Board Engagement, Training and Reporting - Compliance Strategists

Excerpted from The Complete Compliance and Ethics Manual, 2nd Edition; Copyright 2010, Society of Corporate Compliance and Ethics. Reprinted with permission.

Board Engagement, Training and Reporting: Strategies for the Chief Ethics and Compliance Officer

By Donna C. Boehme1

“There is too much information. We spend too much time looking at things that are okay. We need to figure out how to concentrate on what is really important.”

– 2009 National Association of Corporate Directors Blue Ribbon Report2

Overview

Board engagement, training and reporting is a critical but often overlooked area of practice for the chief ethics and compliance officer (CECO). In 20+ years of practicing in the field, both as in-house CECO and outside advisor, I’ve encountered countless programs that have, on paper, all the elements of an effective program, as envisioned by the US Federal Sentencing Guidelines (FSG) and other standards. Many of these programs are implemented with the best of intentions and feature most, if not all, the FSG bells and whistles. Yet so many lack the key foundational components necessary to make those programs actually work as intended: active, knowledgeable Board engagement and a visible mandate from the top of the organization.

Little practical advice has been offered about engaging, training and reporting to the Board, for the likely reason that most CECOs are struggling just to get some face time on the Board (or Audit Committee) agenda, and the profession is on a learning curve with rapidly evolving practice in this space. At the same time, a number of high-profile settlements and important policy developments have bolstered the case for heightened Board oversight through direct, unfiltered reporting by CECOs to the governing authority. A recent RAND Symposium, Directors as Guardians of Compliance and Ethics within the Corporate Citadel: What the Policy Community Should Know3 (RAND Directors Symposium), explored the role of director oversight of compliance and ethics, with some important takeaways on the state of Board readiness and education. Notably, a 2009 Report of the NACD Blue Ribbon Commission, Risk Governance: Balancing Risk and Reward, finds that 51.6% of directors surveyed named “[D]irectors’ understanding of how to execute risk oversight” to be their top challenge.4

However, despite the increased expectations on Board oversight for compliance and ethics, a 2009 survey of 1,600 Association of Corporate Counsel5 members found that:

● Only half of the survey respondents reported that their organizations assess in any way whether they operate ethically — and more broadly — just over a third reported that they have a mechanism for assessing whether their organizations operate responsibly.
● Only half of the respondents reported providing their boards with compliance or ethics training.
● 78% reported that their organizations never or only rarely undertake ethics risk assessments.6

A Conference Board benchmarking survey of 225 companies in a broad spectrum of industries similarly raised questions about “the degree to which boards are sufficiently informed on compliance concepts and issues to chart the program’s future course,” finding that 58% of the surveyed organizations did not train the board consistent with Federal Sentencing Guidelines training criteria and, of those that did train, 31% did so for less than one hour annually.7

A careful analysis of these developments, guidance and practical experience suggests that CECOs need to develop a much more robust approach to Board engagement, and Boards need to assess the state of their understanding, training and reporting mechanisms on compliance and ethics matters. This chapter offers CECOs some practical suggestions and guidance on crafting a successful strategy for Board engagement, training and reporting, with a view to supporting effective oversight by a “compliance-savvy” Board and encouraging a vigorous, best practice approach to this critical CECO activity.

I. Board Oversight of Compliance and Ethics – A Rapidly Evolving Role

The CECO’s relationship with the Board should always begin with a shared working knowledge of the evolving role of the Board to oversee compliance and ethics of their firms. Not only is this an important opening conversation during any basic Board training (because any effective learning needs to start with the “why”), but also the CECO should always structure communications with the Board in a manner that is fully responsive to their accountability for compliance and ethics governance. The mistake many CECOs make is providing the Board with too much information (all at one time), irrelevant information, or information without sufficient context. The art and science of Board engagement, training and reporting is to develop a finely tuned sense of what kind of information, statistics and other data the Board really needs to see, and provide it in digestible, memorable, concise, easy to understand portions that are all part of a continuing conversation about compliance and ethics in the firm. Discussion on the “what” and “how” of Board communication is set out below under item IV: “Practical Considerations in Engagement, Training and Reporting.”

Any effective communication begins with understanding the point of view of the audience. (When considering the Board audience, CECOs would do well to remember the opening quote above.) Outside of compliance and ethics, today’s Boards already have a duty of care to oversee a Sisyphean array of enterprise issues including risk management (financial and non-financial), CEO and senior management succession, executive compensation, corporate strategy, major transactions, and corporate responsibility. In a 2009 report on the role of the Board for enterprise risk management, the Committee of Sponsoring Organizations of the Treadway Commission noted that “The role of the board of directors in enterprise-wide oversight has become increasingly challenging as expectations for board engagement are at all time highs… But, the complexity of business transactions, technology advances, globalization, speed of product cycles, and the overall pace of change have increased the volume and complexities of risks facing organizations over the last decade.”8 Meanwhile, Boards have limited time and resources and multiple constituencies with often divergent interests, and receive an increasing volume of information and data with growing complexity and uncertainty.9 Viewed within this context, the CECO is entering a crowded field of information flow to the Board and therefore must make every word (and minute of Board agenda time) relevant, valuable, and directly supportive of the Board oversight role. To their already daunting set of responsibilities, enter the relatively new Board role for oversight of compliance and ethics.
Though there is little discussion or guidance on this oversight role, one governance expert calls it “potentially one of the principal areas in which corporate directors face significant personal exposure.”10 In a recent RAND invited white paper, “Evolving Role and Liability of the Board of Directors for Ethics and Compliance Oversight,” Gary Brown of Baker, Donelson, Bearman, Caldwell & Berkowitz P.C., further observes that: “[D]irectors must remain constantly attentive to the compliance programs that they oversee, as new agency pronouncements and high-profile settlement agreements provide new insights on “effective” compliance practice, and by extension, on the directors’ oversight role.”11

Legal experts trace the definition of the Board’s responsibility for compliance and ethics to the Delaware Caremark decision (1996), as augmented by Stone v. Ritter (2006) et al.12 In the aggregate, these state court decisions establish the parameters of Board duty of care for corporate compliance activities. But while Caremark and its progeny set the foundation for director oversight of compliance and ethics, these cases are only part of the story. Judiciary pronouncements on director duty of care must be read against the further guidance contained in the FSG setting out the elements of an effective program to be overseen by the Board.13 The FSG further establish the Board obligation to be “knowledgeable” about the content and operation of the company program and exercise “reasonable oversight” over its implementation and effectiveness.14 Still more detail on Board oversight is contained in the 2010 FSG amendments, which stress the significance of a “direct reporting obligation” by the CECO to the Board to avoid filtering of information by senior management.15 Other relevant developments include the Sarbanes-Oxley Act; the OECD Good Practice Guidance for Internal Controls, Ethics and Compliance (for anti-bribery efforts by companies in 38 nations); judicial and regulatory action; agency pronouncements; and an evolving body of high-profile settlement agreements.16 All of these factors should be taken into account when considering Board oversight of compliance and ethics.

A sampling of standards and other developments informing Boards on their oversight obligations for compliance and ethics follows:

● Delaware State Law Decisions (Caremark, Stone v Ritter et al.) As noted, the Delaware cases establish the basic parameters for directors’ duty of care for corporate compliance activities. Key holding of Caremark, as validated by Stone et al.: board members may be subject to personal liability if they (a) fail to implement any reporting or information system or controls, or (b) having implemented such a system, fail to monitor or oversee its operations (e.g., ignore red flags).17 These cases take on additional meaning when read against the more detailed standards of the FSG and other evolving guidance.

● US Federal Sentencing Guidelines (including 2004 and 2010 Amendments) In addition to defining the elements of an effective compliance and ethics program to prevent and detect organizational misconduct, the 2004 amendments expressly set out directors’ duty to be “knowledgeable about the content and operation of the program” and to exercise “reasonable oversight” over its implementation and effectiveness.
The expectation for the Board to have direct accountability for oversight (i.e., not filtered by management) is further underscored by the 2010 FSG amendments, which cite a personal, “direct reporting obligation” of the CECO to the Board as required criteria for companies seeking credit under FSG where “high-level personnel” were involved in misconduct.18

● Sarbanes-Oxley Act The 2002 Sarbanes-Oxley Act established, among other things, new levels of accountability for directors of public companies, including the direct duty to establish a confidential means for employees to raise concerns about fraud to the Board.19

● OECD Good Practice Guidance on Internal Controls, Ethics and Compliance This annex to the 2009 OECD Recommendation for Further Combating Bribery of Foreign Public Officials in International Business Transactions sets out guidance for anti-bribery compliance programs to be implemented by 38 signatory nations, including expectation for oversight by “senior corporate officers, with an adequate level of autonomy from management, resources, and authority.”20 More CECO autonomy translates into direct, unfiltered oversight by the Board.

● Relevant Industry Standards Some regulated industries such as health care have additional standards and guidance for Board oversight, such as the OIG/AHLA Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors.21

● Tenet As part of its $900 million settlement with the Office of Inspector General for Health and Human Services for kickbacks, fraud and other misconduct, the company agreed to unprecedented commitments regarding Board oversight, including a quarterly review and certification by the Board.22

● Pfizer Settlement In addition to criminal and civil fines of $2.3 billion for marketing abuses (the largest corporate criminal fine in corporate history), the company agreed on specific structures to ensure director oversight of the compliance program, including quarterly director certification of the program, a new reporting structure for the CECO that stipulates a direct reporting line to the CEO with direct access to the Board, and formation of a Compliance Committee chaired by the CECO.23

● Mellon Bank In 2006, the US Attorney for Western District of Pennsylvania entered into a settlement agreement with Mellon Bank after employees at its Pittsburgh office systematically destroyed tax returns rather than miss a deadline to process them on behalf of the IRS. The settlement agreement sets out clear undertakings by the Board to improve oversight of the compliance and ethics program including training and issuance of a strong Board resolution on Board role, and direct reporting line and direct access for CECO to the Board.24

● Siemens Settlements with Executive Board Members As part of the fallout from the $1.3 billion U.S. penalty against the German industrial giant for corruption and bribery, the company pursued individually eleven former members of its managing and supervisory boards for failing to properly oversee the firm’s business practices, resulting in nine settlements between $1m and $5m per director.25 The company is continuing to pursue two other directors for damages.
● Department of Justice — McNulty Charging Memorandum The adequacy of Board oversight was expressly noted as a key factor to be considered by prosecutors in deciding whether to charge corporations. In a 2006 memorandum setting out internal guidance for prosecutors to use in deciding whether to charge corporations and in plea agreements, the Department of Justice (through the then-Deputy Attorney General, Paul McNulty) noted that in considering “the adequacy of a pre-existing compliance program,” prosecutors should ask, inter alia, whether the board of directors performed independent oversight instead of simply “unquestioningly ratifying officers’ recommendations.”26

● Agency speeches and pronouncements Further guidance can be found in the speeches of various agency officials specifically addressing their expectations for the Board oversight role for compliance and ethics.27

When communicating with the Board, the CECO should be able to articulate how oversight for compliance and ethics fits into the overall Board duty of care for enterprise risk management, and how the CECO will be able to directly support this expanded Board responsibility through focused reporting. In fact, this discussion should be part of any initial Board training to set the context for all subsequent engagement. Of course, there is sometimes a “chicken-and-egg” phenomenon associated with the CECO-Board relationship. A Board must understand its duties and the landscape of compliance and ethics before fully appreciating the role of the CECO in supporting it. At the same time, the CECO needs to have face time before the Board to articulate the context for the reports and gain the confidence and support of the Board for the program and continued engagement. For some Boards and CECOs, this initial stage may require the assistance of other influencers in the company, such as the General Counsel, Corporate Secretary, champion within the ranks of the Board, or an independent assessment of the program, to create engagement opportunities.28

Takeaway: Board responsibility for compliance and ethics oversight is rapidly evolving. The CECO must be able to articulate the context for this role and deliver focused, relevant Board reports and other communications to support this expanding accountability.

II. When the CECO Does Not Have Unfiltered Access to the Board

As noted above, a leading trend is emerging among policymakers, regulators, and prosecutors to encourage the CECO’s direct, unfiltered access to the Board, both to facilitate the ability of directors to obtain relevant information necessary to discharge their oversight duties and also to support adequate autonomy of the CECO (and program) from company management. Several important white papers address the direct linkage between the positioning of the CECO as a senior-level, empowered member of management (i.e., a seat at the table, adequate financial and personnel resources), and the effectiveness of the program led by that CECO. See “Perspectives of Chief Ethics and Compliance Officers on the Detection and Prevention of Corporate Misdeeds” (RAND 2009),29 “The Business Case for Creating a Standalone Chief Compliance Officer Position” (Ethisphere 2010)30 and “Leading Corporate Integrity: Defining the Role of the Chief Ethics and Compliance Officer” (ERC et al. 2007).31 The role of the CECO has also been cited by John Hansen, in his role as Chair of the Compliance and Ethics Committee of the Association of Corporate Counsel, as critical to the ability of the Board to oversee compliance and ethics:

Boards are entitled to straightforward reporting that is not subjected to prior review, approval or excessive editing by intervening management …. Direct access to the board by the individual with day-to-day operational responsibility and oversight by the board are corollaries. The former cannot be abridged without compromising the latter.32

Nevertheless, many CECOs continue to be positioned in a manner that does not permit or encourage a direct relationship with the Board. For instance, a structure where the CECO reports to the General Counsel, CFO or other senior executive creates a potential for the filtering of compliance and ethics reports to the Board and may fail to properly empower the CECO. CECOs in this position have a more difficult challenge in engaging, training and reporting to the Board. In this less-than-ideal situation CECOs need to be vigilant in their engagement of the C-suite and other Board influencers, and be alert to opportunities to expand their reporting opportunities to the Board. Consider meeting with the Corporate Secretary (who typically sets the Board agenda) or a Board champion to discuss the Board’s oversight obligations and the CECO role in supporting that accountability, with copies of relevant white papers or other writings on the topic handy for a leave-behind. Or, when obtaining an independent evaluation of the program (which should be part of the program in any event), make sure the review includes the mechanics of how information is raised to the Board and the state of Board training and engagement, especially leading practices and recent developments in this area.

Takeaway: CECOs without direct, unfiltered access to the Board need to find creative opportunities to engage the Board. Be alert to leading trends and disseminate information with company influencers.

III. The Role of the CECO in Supporting a Compliance-Savvy Board

Tom Perkins, a former director of Hewlett-Packard, has made some caustic observations on the increasing obligations of Boards for compliance and ethics oversight. After resigning from the HP board in noisy protest over the “questionable ethics and the dubious legality” of investigation methods sanctioned by then-board chairman Patricia Dunn during the infamous corporate spying scandal, Mr. Perkins wrote an opinion piece in the Wall Street Journal entitled “The ‘Compliance’ Board.” The piece decried the governance trend of directors more focused on legal compliance (the “compliance board” model) than on strategic business guidance (the “guidance board” model).33

There is both bad news and good news for Mr. Perkins. The bad news: in view of the crushing weight of regulatory, judicial and other trends to the contrary, this view is shortsighted and highly inadvisable for both individual directors and their constituent firms. Directors who discount the critical role of compliance and ethics oversight fail to understand that compliance and ethics is a fundamental element of business strategy. A responsible board understands that the two must be inextricably integrated. Given the express guidance of the Federal Sentencing Guidelines and other policy developments, directors who fail to take an active oversight role of their firm’s compliance and ethics program as part of overall strategy do so at the company’s (and their own individual) peril. Anyone who doubts that a culture of integrity is vital to a company’s ‘license to operate’ should Google the long list of corporate scandals of Tyco, Enron, WorldCom, Siemens and Pfizer et al.

And now the good news: Boards have a natural resource and agent in the chief compliance officer to separate wheat from chaff and bring the key information, critical trends, and focused discussion to the boardroom, if the CECO is properly positioned, empowered, and resourced to do so. With such an empowered CECO in place, a Board should not be wandering in the wilderness wondering how to navigate a mile-high stack of statistics, data and management reports — which can indeed be an enormous drain on precious Board time. It is the unique positioning of the CECO to be able to look across the organization with a compliance and ethics lens and report on the highest compliance risks, gaps and challenges of the firm, and the programs in place to manage them.
As noted by Keith Darcy, Executive Director of the Ethics & Compliance Officer Association:

Clearly, many other key executives have responsibilities to inform and assist the board in the discharge of specific aspects of their fiduciary duties, such as the CEO, CFO, director of human resources and internal auditor. It follows that, in the critical area of compliance, integrity and culture issues, the CECO is similarly the principal agent for the directors in meeting their regulatory and extra-regulatory responsibilities.34

This view is further supported by the findings of the RAND Directors Symposium, which brought together over two dozen thought leaders from the director, compliance and ethics officer, policy, government and academic communities to discuss how the Board can optimize its discharge of this rapidly evolving oversight role. The Symposium report noted that:

[D]irectors are not operating in a vacuum, when it comes to carrying out their responsibility for C&E oversight. The directors have an agent in the person who carries day-to-day responsibility for overseeing a firm’s C&E program….The CECO provides a major conduit of information on compliance and ethics matters back to the board. When properly positioned and empowered, the CECO can become a key resource for the board in fulfilling its own mandates to monitor and insure good compliance and ethics practice within the firm.35

Now back to Mr. Perkins’s Wall Street Journal opinion piece in which he famously described “compliance directors” as “plug-to-plug compatible” with any company: well, that’s simply not the case. A truly engaged director who understands the significance of the compliance and ethics oversight role seeks to be “knowledgeable” about and exercise “reasonable oversight” over, the unique legal, ethical and culture risks of his constituent firm arising from its specific industry, operations, history, jurisdictions and challenges, as a key part of company strategy. And the role of an empowered, senior-level, experienced CECO is critical support to this evolving accountability.

Takeaway: The empowered CECO with sufficient autonomy from management and direct, unfiltered access to the Board can play a key role in supporting Board oversight of compliance and ethics.

IV. Practical Considerations in Engagement, Training and Reporting

Given the heightened expectations on Board oversight for compliance and ethics and the unique role of the CECO in supporting that role, a robust approach to Board engagement, training and reporting should be a primary focus of every CECO. As the subject matter expert for compliance and ethics in the firm, the CECO should be the “dean” of the Board curriculum in compliance and ethics, not only in supporting the Board’s “training” in its oversight role, but also in “reporting” to the Board on the content, implementation, operation and effectiveness of the program. However, in many organizations, the reality has not caught up with the ideal and what passes as board training, engagement and reporting in compliance and ethics falls significantly short of supporting today’s judicial, regulatory and prosecutorial expectations for proactive board oversight. As noted in the RAND Directors Symposium,

[C]orporate directors do have basic responsibilities to monitor ethics and compliance in their firms and to infuse related values into their decisionmaking, but… these responsibilities are broadly hampered by lack of training and awareness on the part of many outside directors.36

In too many organizations, Board “compliance training” has consisted of a one-time or annual briefing on current legal developments, a mile-high helicopter view of a litany of corporate scandals (in “other” companies), employee hotline statistics (often without proper context to make them meaningful or relevant), or a one-way lecture by an outside legal expert. In today’s corporate environment, where the actions or inactions of the Board are likely to be highly scrutinized in the aftermath of any high-profile corporate misconduct, this falls woefully short. For a discussion of the evolving standards for Board engagement, training and reporting, see “Not Your Father’s Board Training: What Today’s Boards Need to Know About Compliance and Ethics,”37 which is attached in outline form in Appendix 3L, on page A-101.

CECOs need to engage their company’s Board in two basic ways: “training” and “reporting.” Compliance and ethics training supports the Board’s responsibility to be “knowledgeable about the content and operation” of the firm’s compliance program, including the basic context of the elements of an effective program, the Board’s oversight role, and best practices of peers and in the field. (This training can be delivered by the CECO in combination with some outside experts.) A well-prepared Board will have a basic understanding of the right questions to ask of the CECO and other management about the firm’s compliance and ethics activities. For a basic list of questions Boards should be asking, “Twenty Questions That Boards Should Ask about Compliance and Ethics,” an excerpt from the proceedings document from the RAND Directors Symposium, is attached in Appendix 3K, on page A-97.38 CECOs also need to deliver periodic “reporting” to the Board on the firm’s program, risks, gaps and challenges, to support the Board’s responsibility to exercise “reasonable oversight” of the program’s implementation and effectiveness. As noted below under “Don’t Scare the Horses,” the content of such reports must be relevant, objective, supported by facts, added-value and calibrated to the right level of detail.
But notwithstanding the two distinct types of Board engagement, due to the scarcity of Board agenda time available to the CECO, it is entirely logical to combine both reporting and training in a single session. In fact, some of the best “stealth training” can be delivered in the context of a Board report. For instance, while reviewing the status of the company’s anti-bribery program, the CECO may be able to engage the Board in a “deep dive” on the key risk areas of corruption, including typical red flags, the use of foreign intermediaries, and the critical role of due diligence in selecting third-party agents. A thumbnail summary of some sample topics covered in “training” vs. “reporting”:

Board Training
● Board oversight role
● What questions should Board be asking
● Risks created by directors, in Board role
● What an effective program looks like
● Root causes of misconduct
● Best practices by peers and in field
● Code of Conduct
● Deep dive into key risk areas
● Current developments in C&E
● Industry risks
● Scenarios for Board action/oversight

Board Reporting
● Elements of company program
● “Report card” on program status
● Benchmarking surveys
● Current high risk areas and programs to address them
● Trends, gaps, challenges
● State of ethical culture
● Focus groups/employee surveys
● Other relevant metrics in context
● Risk assessment results
● Business compliance activities

Every Board is different, but every Board is the ultimate overseer of its constituent firm’s compliance and ethics activities. Thus, the effective CECO will develop as a priority, a fit-for-purpose Board engagement strategy with the view to building the Board’s awareness, understanding and oversight of the compliance and ethics program, and creating needed support from the top of the house for necessary management support and ownership of compliance activities. Although Board engagement strategy can never be “one size fits all,” the following are some practical suggestions for effectively engaging, training and reporting to the Board:

● “Know Thy Board” Every CECO should have a working knowledge of each Board member’s background, experience, other company affiliations and any particular areas of interest and concern in order to optimize the impact of any communication. If the head of the Audit Committee is also on the board of Company X, and Company X has a top-notch risk assessment protocol that the constituent company does not have, that might be an interesting point to raise during a Board briefing. On the flip side, if Mr. Jones is also on the Board of Company Y, which has a poorly implemented or “paper” compliance program and was just hit with news of a U.S. Department of Justice investigation, discussion of this development should be handled with care. Over time, some Board members may reveal themselves to be inquisitive, engaged and interested in matters of compliance and ethics. This interest should be cultivated — the CECO may have found new Board champions for the program.

● Planned Curriculum
Too many CECOs make the mistake of churning out reports, creating PowerPoints and spitting out statistics without careful thought and planning on the long-range view of Board engagement. Every session before the Board and every written communication is an opportunity for strategic engagement that can educate the Board and create support for the program. In fact, the opportunity to report to the Board is one of the most powerful tools in the CECO’s shed, because if management, other functions and the businesses understand you are periodically reporting to the Board, they have an incentive to work with you to make sure the information about their piece of the world is accurate and positive. A good relationship with the Board starts with a strategic plan for engagement, training and reporting – what needs to be communicated when. Rather than giving a one-time presentation, CECOs should view their engagement of the Board as a continuing curriculum, rolled out in digestible, relevant, high-value increments of information.39 At the same time, the CECO should not be afraid to repeat information the Board has heard before, where the context is important to the directors’ dialogue. A carefully planned Board curriculum builds upon past conversations and topics and can become much more meaningful and robust over time.

● Don’t Scare the Horses
In England they have a saying: “Don’t scare the horses,” and at times I’ve heard people use this dictum when talking about Board reporting and training. At one extreme, a CECO who raises irrelevant or “in the weeds” information to Board level will quickly lose credibility with his or her audience. The CECO needs to develop a calibrated sense of the big picture as seen by the Board, and use his or her reports to paint an accurate rendering of the risks, gaps, challenges, program status and way forward, with “deep dives” as necessary on key risks or material matters. It goes without saying that all opinions must be supported by objective facts, carefully weighted based on experience, expertise and good judgment. The Board doesn’t have to know everything the CECO knows or become a subject matter expert in compliance and ethics. The Board needs relevant, accurate and meaningful information, whether by statistics, anecdotal or narrative reports, that directly supports its overview of the program and the culture of the company. Above all, the Board needs context and data to elicit the right questions to ask. At the other extreme, some CECOs make the mistake of “overselling” the program, reporting disproportionately on the compliance successes and achievements of the company without adequate focus on gaps and areas of challenge. It is important to remember that the CECO is not the guarantor of the company’s compliance and ethics. Rather, the CECO is the subject matter expert and leader of program development and implementation, which requires action on the part of line management and functional business partners. An important part of the CECO’s report to the Board is an ongoing, objective view of the level of implementation by others in the company.

● A Word About Statistics
Statistics can be a powerful, objective indicator for the Board of program performance, company risk and trends when carefully selected, organized, interpreted and offered in a useful context. On the other hand, statistics that are irrelevant or presented without proper context are just numbers on a page. Consider the difference between simply presenting the number of calls (and the relevant areas of misconduct) to the confidential employee helpline in a particular region and the more meaningful picture that can be gleaned from statistics on case closure, process improvements and disciplinary action, retaliation monitoring40 or other unique company metrics, combined with anecdotal data. Or consider presenting a “balanced scorecard” as a regular feature of Board briefings, illustrating current progress on each key element of the compliance program, action plans in the business, training and helpline statistics, or other meaningful data, including illustrative anecdotal information from the field. Avoid making statistics the “tail wagging the dog”; rather, use them judiciously to demonstrate a trend, gap, concern or progress, always as a jumping-off point for a meaningful Board conversation.

● Communicate and Collaborate to Avoid Redundancy, Silos and Inconsistencies
It is important to remember that the CECO is just one of many company managers and executives on the Board agenda. Nothing takes money out of the credibility bank faster than inconsistent, inaccurate or redundant information presented to an overloaded Board. For this reason, a savvy CECO will collaborate with other functions having ownership over parts of the compliance program to avoid silos and ensure that areas of partnership are presented accurately and without inconsistency. For instance, if the CECO reports on gaps in the environmental compliance program and the health, safety and environmental function reports that the same program is “best practice” or “leading edge,” everybody has a problem.

● “No Surprises” and Independent Opinion vs. Factual Accuracy
Contrary to some viewpoints out there, the CECO’s primary job is not to be the hall monitor that routinely sends others to the principal’s office. At the same time, the CECO should not be afraid to report objectively and accurately on the health and status of the program, which sometimes makes those with less than a stellar report card unhappy. Here the “no surprises” policy is usually the best. If the CECO and her team are working regularly and collaboratively with the functions and businesses, then the content of the CECO’s report should not be a surprise. In fact, under certain circumstances, the CECO can gain significant traction by sharing drafts of relevant portions of a report or selected statistics in the prevailing spirit of “How can we make this better?” A word of caution on taking comments on draft reports to the Board: the opinion of the CECO should be independent and not influenced by pressure, express or implied, from the business or others in the organization. This is the driving thinking behind the “direct, unfiltered access” trend discussed above. CECOs should always be open to corrections of facts. Changes to a balanced, well-considered CECO opinion supported by the facts are a different matter: absent a change in the underlying facts, a CECO who agrees to “modify” his opinion is on a very slippery slope indeed.

● Helicopter View vs. Deep Dives on Key Risk Areas
Some helicopter views are helpful; in particular, an integrated picture of the health and status of the compliance and ethics program is directly responsive to, and supportive of, the Board’s oversight role. However, the strategic Board engagement plan should also include “deep dives” into key risk areas so that the Board can understand the nature of each challenge and the mitigation plans in place to address it. A robust Board curriculum on compliance and ethics should include in-depth discussions of such key risks over time, combined with continuing reporting on the general status of the program.

Takeaway: The bar has been raised for Board engagement, training and reporting on compliance and ethics. CECOs need to craft a focused, fit-for-purpose Board engagement strategy that supports the director oversight role and creates critical support from the governing authority for the compliance and ethics program.

Conclusion

Board engagement, training and reporting is an evolving area of practice that deserves the highest attention of the CECO. This is because the art, science and skill with which these are delivered have enormous consequences for the success or failure of the overall compliance and ethics program. As the bar is raised for the Board’s evolving oversight role, the quality of Board engagement, training and reporting must similarly rise to the challenges of an increasingly changing, complex and risky corporate environment. With the proper strategy, judgment and information, the CECO’s engagement of the Board can be a meaningful, dynamic conversation that becomes richer with every session and a powerful resource to support the Board in its critical oversight role.


Endnotes

1. Donna C. Boehme is Principal, Compliance Strategists LLC and Special Advisor to Compliance Systems Legal Group. For a current biography, see http://www.compliancestrategists.net/id1.html. Additional research for this chapter contributed by Erin Fitzpatrick.

2. Comment on risk governance by a Blue Ribbon Commissioner for the Report of the NACD Blue Ribbon Commission on Risk Governance: Balancing Risk and Reward (Washington, D.C.: National Association of Corporate Directors, 2009).

3. Directors as Guardians of Compliance and Ethics within the Corporate Citadel: What the Policy Community Should Know (Symposium Proceedings, RAND Corp., 2010).

4. Report of the NACD Blue Ribbon Commission on Risk Governance: Balancing Risk and Reward.

5. The Association of Corporate Counsel (ACC) is the world’s largest organization serving the professional and business interests of attorneys who practice in the legal departments of corporations, associations and other private-sector organizations around the globe, http://www.acc.com/aboutacc/index.cfm.

6. Hansen, John, “Corporate Counsel Perspective: The Crisis of Ethics and the Need for a Compliance Savvy Board,” in Directors as Guardians of Compliance and Ethics within the Corporate Citadel: What the Policy Community Should Know (Symposium Proceedings, RAND Corp., 2010).

7. Berenbeim, Ronald E., Universal Conduct: An Ethics and Compliance Benchmarking Survey (The Conference Board, Research Report 1393-06, 2006), http://corporatecompliance.org/Content/NavigationMenu/Resources/Surveys/R-1393-06-RR1beneheim.pdf.

8. Effective Enterprise Risk Management Oversight: The Role of the Board of Directors (Committee of Sponsoring Organizations of the Treadway Commission, 2009), http://www.coso.org/documents/COSOBoardsERM4pager-FINALRELEASEVERSION82409_001.pdf.

9. Forces and Change in Governance and Disclosure, Thought Leadership Roundtable (CT Corporation, April 27, 2010).

10. Brown, Gary, “Evolving Role and Liability of the Board of Directors for Ethics and Compliance Oversight,” in Directors as Guardians of Compliance and Ethics within the Corporate Citadel: What the Policy Community Should Know (Symposium Proceedings, RAND Corp., 2010).

11. Ibid.

12. See In re Caremark International Inc. Derivative Litigation, 698 A.2d 959 (Del. Ch. 1996) and Stone v. Ritter, 911 A.2d 362 (Del. 2006).

13. 2009 Federal Sentencing Guidelines Manual, Chapter 8 § 8B2.1, “Effective Compliance and Ethics Program,” http://www.ussc.gov/2009guid/8b2_1.htm.

14. Ibid.

15. One of the most closely watched and debated provisions of the 2010 FSG Amendments was new language permitting companies to become eligible for credit (i.e., lesser penalties) even when ‘high-level personnel’ are involved in misconduct under certain conditions, including: “(1) the individual or individuals with operational responsibility for the compliance and ethics program (see §8B2.1(b)(2)(C)) have direct reporting obligations to the governing authority or an appropriate subgroup thereof (e.g., an audit committee of the board of directors);” Amendments to Federal Sentencing Guidelines submitted to Congress on April 29, 2010, to be effective November 1, 2010 (p. 17), http://www.ussc.gov/2010guid/finalamend10.pdf. See also Barlyn, Suzanne, “Sentencing Guidelines May Boost Compliance,” Wall Street Journal, May 3, 2010, http://online.wsj.com/article/BT-CO-20100503-709299.html, and Comment Letter to Sentencing Commission (Greenberg/Boehme, March 21, 2010), http://compliancestrategists.net/sitebuildercontent/sitebuilderfiles/greenberg.boehme.ussccomments3.22.2010.pdf.

16. For a thoughtful review of the confluence of judiciary, regulatory, agency and other developments setting the parameters for director oversight of compliance and ethics, see Brown, “Evolving Role and Liability of the Board of Directors for Ethics and Compliance Oversight.”

17. “In sum, directors’ responsibility for ethics and compliance oversight emerges from a confluence of many different sources of law and enforcement authority, including major precedents in Delaware, statutory provisions under Sarbanes-Oxley, judicial standards under the FSG, prosecutorial policies as expressed in Department of Justice memos, and prominent deferred prosecution agreements (DPAs) and corporate integrity agreements (CIAs) involving companies such as Tenet, Siemens, and Pfizer.” For discussion of the Caremark legacy, and the impact of Stone v. Ritter, see Walker, Rebecca, “Board Oversight of a Compliance Program—Implications of Stone v. Ritter” (2008), http://corporatecompliance.org/Content/NavigationMenu/Resources/IssuesAnswers/Stone-vRitter_Walker.pdf, and Peregrine, Michael, “New Guidance to Governing Board on Compliance Plan Oversight” (2007), http://www.mwe.com/info/pubs/AHLAcompliance.pdf.

18. Both the 2004 and 2010 FSG amendments contemplate that the person with day-to-day operational responsibility for the compliance and ethics program will have direct access to the governing authority of the company (i.e., the board). The 2010 amendments further create an incentive for companies to ensure that that person “… has express authority to communicate personally to the governing authority or appropriate subgroup thereof (A) promptly on any matter involving criminal conduct or potential criminal conduct, and (B) no less than annually on the implementation and effectiveness of the compliance and ethics program.” See U.S. Sentencing Commission, Amendments to the Sentencing Guidelines, Policy Statements and Commentary (April 30, 2010), at 18, http://www.ussc.gov/2010guid/finalamend10.pdf.

19. The Sarbanes-Oxley Act of 2002 (Pub. L. 107-204, 116 Stat. 745, enacted July 30, 2002).

20. Good Practice Guidance on Internal Controls, Ethics and Compliance, Annex 2 to Working Group on Bribery in International Business Transactions, Recommendation of the Council for Further Combating Bribery of Foreign Public Officials in International Business Transactions (Paris: Organisation for Economic Cooperation and Development, November 2009), http://www.oecd.org/dataoecd/11/40/44176910.pdf.

21. See, e.g., “OIG/AHL Corporate Responsibility and Corporate Compliance: A Resource for Health Care Boards of Directors” (2003), http://oig.hhs.gov/fraud/docs/complianceguidance/040203CorpRespRsceGuide.pdf; “An Integrated Approach to Corporate Compliance: A Resource for Health Care Organizations Boards of Directors” (2004), http://oig.hhs.gov/fraud/docs/complianceguidance/Tab%204E%20Appendx-Final.pdf; and “Corporate Responsibility and Health Care Quality: A Resource for Health Care Boards of Directors” (2007), http://oig.hhs.gov/fraud/docs/complianceguidance/CorporateResponsibilityFinal%209-4-07.pdf.

22. Office of Inspector General, Department of Health and Human Services, “Corporate Integrity Agreement between the Office of Inspector General of the Department of Health and Human Services and Tenet Healthcare Corporation” (2006), http://oig.hhs.gov/fraud/cia/agreements/TenetCIAFinal.pdf.

23. Office of Inspector General, Department of Health and Human Services, “Corporate Integrity Agreement between the Office of Inspector General of the Department of Health and Human Services and Pfizer Inc” (2009), http://oig.hhs.gov/fraud/cia/agreements/pfizer_inc_08312009.pdf.

24. Buchanan, Mary Beth, “Settlement Agreement With Mellon Bank, N.A. and United States Attorney for Western District of Pennsylvania” (August 14, 2006), http://corporatecompliance.org/Content/NavigationMenu/Resources/IssuesAnswers/LetterUSAttorney_MellonBank.pdf. “Mellon shall adopt a strong board of directors resolution endorsing and setting requirements for the overall compliance and ethics program. The resolution shall delineate the role of the board in providing oversight of the program, including which committee(s) of independent directors has been delegated such responsibilities. The resolution should provide that the chief compliance and ethics officer serves at the exclusive discretion of the board of directors and has access to the board in executive session. The board shall receive training on exercising its compliance and ethics oversight role.”

25. See “Siemens Goes After Former Board Members,” Agenda, January 11, 2010, and “Siemens AG Settlements with Former Board Members,” KYC360, December 17, 2009, http://www.nortonrose.com/expertise/businessethicsandanticorruption/default25535.aspx?lang=en-gb.

26. See McNulty, Paul J., “Principles of Federal Prosecution of Business Organizations” (2006), http://www.justice.gov/dag/speeches/2006/mcnulty_memo.pdf, for a discussion of the adequacy of director oversight as a factor to be considered in the evaluation of compliance programs by prosecutors: “In evaluating compliance programs, prosecutors may consider whether the corporation has established corporate governance mechanisms that can effectively detect and prevent misconduct. For example, do the corporation's directors exercise independent review over proposed corporate actions rather than unquestioningly ratifying officers' recommendations; are the directors provided with information sufficient to enable the exercise of independent judgment … and have the directors established an information and reporting system in the organization reasonably designed to provide management and the board of directors with timely and accurate information sufficient to allow them to reach an informed decision regarding the organization’s compliance with the law.” See also U.S. Department of Justice, “Principles of Federal Prosecution of Business Organizations” (928.800: Corporate Compliance Programs), http://www.justice.gov/opa/documents/corp-charging-guidelines.pdf.

27. See speech, “The Process of Compliance,” Lori A. Richards, Director, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission, October 19, 2006, http://www.sec.gov/news/speech/2006/spch101906lar.htm.

28. For a further discussion on identifying and developing a board champion, see Boehme, Donna, “Building a Compliance and Ethics Function,” Compliance Week (February 13, 2007).

29. Greenberg, Michael D., “Perspectives of Chief Ethics and Compliance Officers on the Detection and Prevention of Corporate Misdeeds: What the Policy Community Should Know” (Conference Proceedings, RAND Corp., 2009), http://www.rand.org/pubs/conf_proceedings/CF258/.

30. Salmon-Byrne, Erica and Frederickson, Jodie, “The Business Case for Creating a Standalone Chief Compliance Officer Position,” Ethisphere, May 25, 2010, http://ethisphere.com/the-business-case-for-creating-a-standalonechief-compliance-officer-position/.

31. Chief Ethics and Compliance Officer Working Group, Leading Corporate Integrity: Defining the Role of the Chief Ethics and Compliance Officer (Arlington, VA: Ethics Resource Center, 2007), http://www.ethics.org/resource/ceco.

32. Hansen, “Corporate Counsel Perspective: The Crisis of Ethics and the Need for a Compliance Savvy Board.”

33. Perkins, Tom, “The ‘Compliance’ Board,” Wall Street Journal, Mar. 2, 2007, http://online.wsj.com/article/SB117280725006124469.html. Lamenting the governance trend away from “guidance boards” to “compliance boards”: “So where can good directors come from? Easy! A Compliance board director can come from anywhere! The director of a Compliance board listens to consultants and attorneys, before deciding matters. He/she is focused on the regulatory aspects, which are largely industry independent. So the Compliance director is ‘plug to plug compatible’ from board to board.” See also Mr. Perkins’s letter of resignation: http://online.wsj.com/public/resources/documents/WSJ_Perkins-to-HP.pdf.

34. Darcy, Keith, “Board Oversight of Compliance, Ethics, Integrity and Reputation Risks: What Directors Need to Know,” in Directors as Guardians of Compliance and Ethics within the Corporate Citadel: What the Policy Community Should Know (Symposium Proceedings, RAND Corp., 2010).

35. Greenberg, Michael D., Directors as Guardians of Compliance and Ethics within the Corporate Citadel: What the Policy Community Should Know (Symposium Proceedings, RAND Corp., 2010).

36. Greenberg, Directors as Guardians of Compliance and Ethics within the Corporate Citadel: What the Policy Community Should Know.

37. Boehme, Donna, “Not Your Father’s Board Training: What Today’s Boards Need to Know About Compliance and Ethics” (EthicsPoint Webinar, February 18, 2010), http://www.ethicspoint.com/event/not-your-fathersboard-training---what-todays-boards-need-to-know-about-ethics-and-compliance.

38. List of Directors Questions, Directors as Guardians of Compliance and Ethics within the Corporate Citadel: What the Policy Community Should Know (Symposium Proceedings, RAND Corp., 2010).

39. See sample board training plan contained in “Not Your Father’s Board Training: What Today’s Boards Need to Know About Compliance and Ethics” (Boehme, February 18, 2010), attached in Appendix 3L on page A-101.

40. For an example of meaningful statistics that can be reported from a robust retaliation monitoring program, see “KPMG Ethics and Compliance Report 2009,” pp. 14-17, https://www.amr.kpmg.com/facultyportal/NR/rdonlyres/26E974D8-1F10-4FE0-9DE87925BC59147C/0/EaCReport2009final_web.pdf.


Appendix 3K
Twenty Questions That Boards Of Directors Should Ask About Compliance And Ethics*

A. Context and Landscape

1. What are the elements of the company’s C&E program? How does each of the elements meet the guidelines set out by the US Federal Sentencing Guidelines or other relevant standards?

2. What is the budget for the C&E program?

B. Role of the Board

3. What board committee oversees the C&E program? How does the board discharge its legal and extralegal obligations for oversight of the C&E program? What is the method and frequency of C&E reporting to the board, and of board contact with the CECO?

4. How will the board obtain and evaluate the appropriate training and information to discharge its C&E responsibility? How often will the board include C&E on its agenda?

C. Structure and Role of the Compliance and Ethics Officer and Function

5. What high-level corporate personnel are responsible for the implementation, operation, and oversight of the C&E program? Who is the company’s chief compliance and ethics officer (CECO)? Is she a senior executive with experience, seniority, authority, autonomy, time, and resources sufficient to do the job?

6. Who does the CECO report to, and what measures are in place to protect her ability to discharge the role with sufficient authority and independence? Does the CECO have unfiltered access to the CEO and board? Has the board passed a resolution setting out the express mandate for the CECO and the compliance function?

7. What are the full- and part-time resources in place to support compliance and ethics? Are compliance-related activities assigned across various levels in the organization? Are managers held accountable for meeting these objectives through the performance review process?

D. Program Status and Operation

8. How are the company’s compliance and ethics programs structured? Do they cover the company’s high priority risks and global operations, including business partners, vendors, subcontractors, and third-party relationships? What policies, procedures, and internal controls are in place to manage high priority risk areas?

9. What has management (both at the top and in the middle ranks of the organization) done — in both words and visible action — to support ethical conduct and legal compliance? Is the CECO involved and consulted on a regular basis by management regarding the culture of the organization, and how this supports ethical conduct and business decisions that comply with all rules and procedures?

10. What is the process for assessing C&E risks in the organization? Has the company developed and prioritized an inventory of C&E risks?

11. Where in the Code of Ethics/Conduct are responsibilities of all managers, employees, and third parties covered? How are those responsibilities communicated within the company?

12. How does the organization support ethical culture? What is the C&E training program for all levels of the company, including board of directors, managers, employees, and third parties?

13. How does the culture of the organization support the raising of concerns? What are the mechanisms for raising confidential whistleblower concerns, without fear of retaliation, to the top of the organization, including investigation and follow-up protocols?

14. What ongoing reporting, monitoring, and audit processes are in place to assess the effectiveness of the C&E program?

15. How does the organization embed ethical leadership and culture throughout its management, e.g. incentives and linkage to compensation and the performance evaluation processes?

16. What mechanisms does the Company have in place to regularly and systematically review C&E failures and respond appropriately, including remedial action and improvements to the C&E program?

17. How does the company ensure consistent disciplinary action and enforcement of its Code of Ethics/Conduct at all levels, including senior management?

E. Closing Questions for the CECO

18. What support does the C&E function receive from the CEO and senior management team?

19. Has the board had the program evaluated by a qualified independent expert? Has it performed a cultural assessment? How does the company program compare to its peers, and to best practice in the field?

20. What keeps you (the CECO) up at night? Are there any other matters you wish to raise to the attention of the board (or independent board committee)? What other questions should we be asking you?

*REPRINTED BY PERMISSION. Appendix to RAND Symposium May 12, 2010: Directors as Guardians of Corporate Compliance and Ethics within the Corporate Citadel: What the Policy Community Should Know (RAND Center for Corporate Ethics and Governance).

Appendix 3L: Web Conference


Appendix 3M
Web Conference Q&A: Not Your Father’s Board Training

The following Q&A responds to questions received during Donna Boehme’s EthicsPoint webinar (and by email) Not Your Father’s Board Training: What Today’s Boards Need to Know About Ethics and Compliance on February 18, 2010. Nothing in this Q&A is intended to constitute legal advice. Further resources, including webinar slides and a white paper examining the Board oversight role for compliance and ethics, may be found at http://compliancestrategists.com under “Resources.”

Q: How fully do these governance challenges apply to non-profit boards?

A: Nonprofit boards are just as susceptible to stakeholder expectations for firm oversight over compliance and ethics. Some of the factors we mentioned in the webinar, such as SOX, refer to public companies, but many others such as the FSG refer to organizations, public or private, for profit or nonprofit. In addition, trust, the license to operate and reputation for nonprofits is an enormous asset and responsibility for their boards; witness ACORN, Covenant House, or any other charity that has run into serious problems. Many nonprofit boards lack the focus and rigor required for board members to understand and fulfill their oversight responsibilities, and similarly any formal programs for compliance and ethics; an untenable condition in today’s environment.

Q: You mentioned one pending change to the FSG. Can you highlight other changes?

A: Other changes to Ch 8 (organizations) include a confusing highlight of document retention policies (in our view, not a silver bullet), and what companies should do as soon as they discover potential wrongdoing to qualify for leniency under the FSG, including consideration of a corporate monitor and prompt disclosure to authorities. There is a good article summarizing the proposed FSG amendments in which I am quoted on the CS website at http://compliancestrategists.com under “In the Media.”


Q: When you refer to the “board”, is it okay to give reports/training to a committee of the board rather than the whole board?

A: Yes and no. The FSG and other guidances/regulations contemplate that oversight may be conducted by an independent committee of the board such as the Audit or Ethics Committee. For C&E reporting in large companies, independent committee oversight is the norm. (It is then the responsibility of the committee to keep the full board informed, which is a governance matter). However, certain training should be given to the entire board, such as role and responsibilities, code of conduct and potential risks created by the board. I recommend that the full Board receive at least one annual training so that they understand their role, risks, the code & the context and significance of the independent committee’s remit. Also important, in the event there are problems, the full board needs to be on the same page and have discussed how they will approach/resolve a major C&E issue.

Q: What other non-helpline metrics can you suggest?

A: It will always vary by company, but the rule of thumb is to identify metrics that would be meaningful to the Board’s understanding of program progress and effectiveness. For instance, if the CECO has been successful in embedding c&e action items into the business operations (a best practice), then monitoring and measuring progress against these goals can be a very useful metric. Employee surveys are also useful, especially if the CECO has mastered the art and science as to how the questions are worded and how the surveys are administered in order for the results to be meaningful. When I work with clients, one of the goals is to identify these metrics early on in the process so that a baseline can be set and measured against.

Q: Do you have a rough estimate (%) of companies that have a separate ethics department from the compliance department?

A: There have been various surveys conducted over the years. In my view the best practice is an integration of ethics and compliance; neither can operate in a vacuum. There are many potential structures for doing this.

Q: Can you give an example of some metrics that were deemed meaningful to certain boards?

A: See answer above. In addition, when looking at helplines, it is useful to understand more than just raw number of calls. Results such as process improvements and disciplinary action are useful.

Q: Do you have an example of a dashboard/report card that you can share?

A: I may have something I have presented at conferences that I could post on my website; will check. It’s obviously fit to purpose for companies based on risk profile, industry, company structure, program stage etc.

Do we have to worry the board with details which could later be discovered in external audits/investigations?

How do you convey the board’s need to know about the company without rushing them into getting involved in actual management of the company?

This is a bit like the question of whether people should avoid risk assessments because if they find a risk then they might be on the hook for addressing it. Depending on circumstances, some Board briefings are privileged (such as when a report is prepared in anticipation of litigation). But under normal circumstances Board briefings (not just C&E) are subject to discovery. Finance, audit, security and environmental functions have always brought important data to the Board, and it is at the heart of the Board’s role to review and evaluate the data and ask hard questions. The focus should be: 1) what does the Board need to know in order to effectively discharge its oversight responsibility for compliance and ethics, and 2) what does the Board do with the information? Would the Siemens board have been better off avoiding the details of the corruption that was rampant in the company? At the end of the day, the Board will be responsible for what they knew or should have known. Hiding their heads in the sand is no longer a successful defense for either Boards or management.

Caremark and Stone have confirmed that directors are not required to “ferret out” wrongdoing absent red flags. At the same time, Stone emphasized that directors need sufficient information to conduct their oversight duties. After Stone, directors should consider expanding the type of information they receive; helpline stats alone clearly do not deliver what is needed for directors to be “knowledgeable” about the content and operation of their programs. CECOs must deliver a careful balance of necessary information, statistical and anecdotal, backing up the CECO’s opinion about risk, gaps, and program status and effectiveness.

It’s useful to have a Board resolution escalating any alleged wrongdoing by senior management to Board attention (since those are the folks who most need oversight), along with other areas which would be “red flags” that boards need to see. The content of those board resolutions can set forth the rule of thumb for what the Board needs to see. An experienced CECO will deliberate over board reports to maintain the careful balance you raise. The Corporate Secretary can sometimes be a good resource to discuss the content of Board reports in this area, but the CECO needs to make some independent judgments, without interference or pressure, about what the Board needs to know to exercise its oversight.

Who should conduct Board training? Should we bring in an outside expert?

My updates to the Board are often “watered down” by the General Counsel. What do you suggest I do?

A few thoughts on this. First, all Boards are unique and training needs to fit the need. If the CECO is strong and knowledgeable, with sufficient clout and standing within the company, she is probably in the best position to deliver focused, relevant Board training. For other Boards, an outside expert (perhaps working with the CECO to make it relevant) might be the right fit. The old (your father’s) Board training model, conducted by a law firm partner (always happy to take your money and an entry to the board) who bloviates about Enron/WorldCom, a mile-high compliance discussion and scary big fines, is less effective than an experienced compliance and ethics professional who can give the board a much more relevant, balanced grounding in the basic issues and a ‘view from the trenches’. In many cases, an outside expert can help create the dialogue and get the Board’s attention, followed by ongoing periodic C&E reports from the CECO.

One reason I conducted this webinar is to give CECOs some ammunition to review with the PTB in their companies regarding Board training and direct, unfiltered access to the Board. The weight of the FSG, case law and other guidance is firmly on the CECO’s side of this argument. The fact that the current proposed FSG amendments include one specific question from the Sentencing Commission on unfiltered access by the CECO shows that the tide is turning. As we discussed, the line CECOs need to draw is between filtering and accuracy. When I was in-house as a CECO, my rule was that C&E would discuss any factual inaccuracy (including working with the businesses to make changes that would “yield” a different factual description in the final report, often a productive exercise if handled correctly), but that we would not change my opinion unless driven by the facts. The CECO is the SME of the program and should be empowered to issue such an opinion without undue pressure or concern about retaliation. But then, that’s a whole ‘nother topic for another day!
